Here are the top stories you might have missed:
European Commission releases draft of acceptable SCCs
The European Commission has released a draft set of new standard contractual clauses and a “draft implementing decision,” National Law Review Reports. The news follows the invalidation of the EU/U.S. Privacy Shield agreement earlier this year. The draft release, which allows for two types of data transfers, does not completely align with guidance released by the European Data Protection Board on its own expectations for data transfers, the report states, and will now face public consultation, as well as review by both the EDPB and the European Data Protection Supervisor.
2. Court slashes German telecom’s GDPR fine
A German telecom company that had been fined 9.55 million euros for a breach of the EU General Data Protection Regulation will now pay just 900,000 euros. In 2019, German Federal Commissioner for Data Protection and Freedom of Information accused company 1&1 of “failing to comply with technical and organizational measures to protect personal data,” Telecompaper reports, but a German court ruled the fine was “disproportionate.”
3. Schrems lodges complaint against Apple with two DPAs
Privacy advocate Max Schrems is making news again after his advocacy organization, NYOB, filed two new complaints, this time against Apple over its “Identifier for Advertisers,” which allows third parties to track users, TechCrunch reports. NYOB filed the complaints with the German and Spanish data protection authorities, alleging Apple’s IDFA violates privacy laws “because iOS users are not asked for their consent for the initial storage of the identifier,” the report states.
4. ICO fines Ticketmaster UK over data breach
The U.K. Information Commissioner’s Office has fined Ticketmaster UK 1.25 pounds after a data breach exposed customers’ personal data. Following a cyberattack in 2018 affecting 1.5 million U.K. residents (and 9.4 million across Europe generally), the ICO found Ticketmaster UK “failed to keep its customers’ personal data secure,” TechRader reports. The breach included names and payment card number data.
5. Hong Kong government launches contact-tracing app
Hong Kong released a voluntary contact-tracing app this week in an effort to thwart the spread of COVID-19. Norton Rose Fulbright’s blog reports the Hong Kong government launched the app, called LeaveHomeSafe, this week. To participate, users can scan the QR code of participating venues. Thus far, approximately 6,000 private and public venues have signed on to the effort.
6. Delaware COVID tests leak 10,000 residents’ personal data
The Delaware Division of Public Health announced a breach involving the personal data of 10,000 Delaware residents who were tested for COVID-19. WHYY News reports the breach was detected Sept. 16 and occurred when a “temporary staff member sent two unencrypted emails in August to an unauthorized user” containing the residents’ COVID-19 test results. Those impacted are being notified by mail.
7. Dutch privacy group pushes for investigation into Palantir
The Foundation for Market Information Research, a Dutch privacy advocacy group has called for an investigation into data analytics firm Palantir. ComputerWeekly reports that the group wants to “raise awareness about European governments’ collaboration with tech companies from outside the EU on surveillance and profiling technology.
8. Popular children’s app breached
A gaming company that makes a popular children’s app has announced a data breach. WildWorks powers Animal Jam, one of the top-five games in Apple’s App Store in the U.S. for children ages 9-11, TechCrunch reports. According to WildWorks, the breach was uncovered in November after a hacker stole 46 million Animal Jam records, as well as 7 million parent email addresses.